US-12621322-B2 - Method and network node for detecting anomalous access behaviours

Abstract

Embodiments of the present disclosure provide a method, a network node, and a computer program product for detecting anomalous access behaviours in a plurality of network nodes in a communication network. The method is performed in a network node in the communication network. The method includes obtaining session logs associated with the plurality of network nodes in the communication network. The method includes extracting session features for each session by evaluating the session logs associated with the plurality of network nodes. Further, the method includes determining access behaviours associated with each session based on the extracted session features, the access behaviours associated with each session including a representation indicative of one or more of session characteristics, user access characteristics, network node access characteristics and command usage characteristics. The method further includes detecting (S14) anomalous access behaviours by analysing the determined access behaviours.

Inventors

  • Mahesh Babu JAYARAMAN
  • Kavita Padmanabhan

Assignees

  • TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Dates

Publication Date
20260505
Application Date
20201230

Claims (17)

  1. A method for detecting anomalous access behaviours in a plurality of network nodes in a communication network, the method being performed in at least one network node in the communication network, wherein the method comprises: obtaining session logs associated with the plurality of network nodes in the communication network; extracting session features for each session by evaluating the session logs associated with the plurality of network nodes, wherein extracting session features comprises: obtaining input data sets, the input data sets comprising a set of command lines, a set of non-command lines, and a set of pre-defined commands indicative of a command type, a command category, safe commands, and risky commands; and evaluating a set of command lines in the session logs using the obtained input data sets and the set of pre-defined commands; determining access behaviours associated with each session based on the extracted session features, wherein the access behaviours associated with each session comprise a representation indicative of one or more of session characteristics, user access characteristics, network node access characteristics and command usage characteristics; and detecting the anomalous access behaviours by analysing the determined access behaviours.
  2. The method according to claim 1, wherein evaluating the set of command lines in each of the session logs based on the obtained input data sets and the set of pre-defined commands comprises: determining a set of command lines in each of the session logs based on the obtained input data sets comprising the set of command lines, the set of non-command lines and the set of pre-defined commands; and extracting features associated with the determined set of command lines in each of the session logs.
  3. The method according to claim 2, wherein determining the set of command lines in each of the session logs comprises: extracting multiple lines from each of the session logs; converting one or more special characters and spaces identified in each line of the session logs to an equivalent vector of strings; and determining the set of command lines in each of the session logs using a model trained with the obtained input data sets.
  4. The method according to claim 1, wherein determining the access behaviours comprising the representation indicative of the session characteristics associated with each session comprises: obtaining the extracted session features for each session; identifying textual features in a set of command lines from the session features for each session; translating the identified textual features in the set of command lines to an equivalent vector using a vectorizer; and creating a numerical representation for the set of command lines for each session, wherein the numerical representation is created by applying a feature vector for each command line in the set of command lines and the translated textual features.
  5. The method according to claim 1, wherein determining the access behaviours comprising the representation indicative of the user access characteristics associated with each session based on the extracted plurality of session features comprises: obtaining the extracted session features for each user; determining user access patterns for each session of the user from the extracted session features based on one or more of a number of sessions for each user, a number of network nodes accessed for each user, a number of risky commands executed by each user, and a duration of the sessions for each user; determining user session patterns for each session of the user from the extracted session features based on one or more of command lines for each session and command category for each session; and determining the user access characteristics by combining the determined user access patterns and determined user session patterns.
  6. The method according to claim 1, wherein determining the access behaviours comprising the representation indicative of the network node access characteristics associated with each session based on the extracted plurality of session features comprises: obtaining the extracted session features for each node; determining node access patterns for each session of the node from the session features based on one or more of a number of sessions for each node, a number of users accessed for each node, a number of risky commands executed for each node, and a duration of the sessions for each node; determining node session patterns for each session of the node from the session features based on one or more of command lines for each session and command category for each session; and determining the node access characteristics by combining the determined node access patterns and determined node session patterns.
  7. The method according to claim 1, wherein determining the access behaviours comprising the representation indicative of the command usage characteristics associated with each session based on the extracted plurality of session features comprises: obtaining the extracted session features for each session; extracting one or more of a number of risky commands and a number of safe commands executed from the plurality of session features for each session; and determining the command usage pattern based on frequency, such as frequent commands or rare commands, and the number of risky commands executed.
  8. The method according to claim 1, wherein detecting anomalous access behaviours by analysing the determined access behaviours comprises: obtaining the representation indicative of one or more of the session characteristics, the user access characteristics, the network node access characteristics and the command usage characteristics; detecting the anomalous sessions by applying anomaly detection on the obtained session characteristics; detecting the anomalous users by applying anomaly detection on the obtained user access characteristics; detecting the anomalous network nodes by applying anomaly detection on the obtained network node access characteristics; and detecting the anomalous commands from the obtained command usage characteristics by analysing the number of risky commands and the number of safe commands executed for each session.
  9. The method according to claim 1, further comprising: causing to display the detected anomalous access behaviours, being indicative of one or more of anomalous sessions, anomalous users, anomalous network nodes and anomalous commands.
  10. A network node for detecting anomalous access behaviours in a plurality of network nodes in a communication network, the network node comprising: a data processing unit; and a memory storing instructions that, when executed by the data processing unit, cause the network node to: obtain session logs associated with the plurality of network nodes in the communication network; extract a plurality of session features for each session by evaluating the session logs associated with the plurality of network nodes, wherein extracting session features comprises: obtaining input data sets, the input data sets comprising a set of command lines, a set of non-command lines, and a set of pre-defined commands indicative of a command type, a command category, safe commands, and risky commands; and evaluating a set of command lines in the session logs using the obtained input data sets and the set of pre-defined commands; determine access behaviours associated with each session based on the extracted plurality of session features, wherein the access behaviours associated with each session comprise a representation indicative of one or more of session characteristics, user access characteristics, network node access characteristics and command usage characteristics; and detect the anomalous access behaviours by analysing the determined access behaviours.
  11. The network node according to claim 10, wherein the network node is in communication with the plurality of network nodes in the communication network and is configured for accessing the session logs associated with the plurality of network nodes for a pre-configured time interval for detecting anomalous access behaviours in the communication network.
  12. The network node according to claim 10, wherein the network node is configured to determine the access behaviours comprising the representation indicative of the session characteristics associated with each session by: obtaining the extracted session features for each session; identifying textual features in a set of command lines from the session features for each session; translating the identified textual features in the set of command lines to an equivalent vector using a vectorizer; and creating a numerical representation for the set of command lines for each session, wherein the numerical representation is created by applying a feature vector for each command line in the set of command lines and the translated textual features.
  13. The network node according to claim 10, wherein the network node is configured to determine the access behaviours comprising the representation indicative of the user access characteristics associated with each session based on the extracted plurality of session features by: obtaining the extracted session features for each user; determining user access patterns for each session of the user from the extracted session features based on one or more of a number of sessions for each user, a number of network nodes accessed for each user, a number of risky commands executed by each user, and a duration of the sessions for each user; determining user session patterns for each session of the user from the extracted session features based on one or more of command lines for each session and command category for each session; and determining the user access characteristics by combining the determined user access patterns and determined user session patterns.
  14. The network node according to claim 10, wherein the network node is configured to determine the access behaviours comprising the representation indicative of the network node access characteristics associated with each session based on the extracted plurality of session features by: obtaining the extracted session features for each node; determining node access patterns for each session of the node from the session features based on one or more of a number of sessions for each node, a number of users accessed for each node, a number of risky commands executed for each node, and a duration of the sessions for each node; determining node session patterns for each session of the node from the session features based on one or more of command lines for each session and command category for each session; and determining the node access characteristics by combining the determined node access patterns and determined node session patterns.
  15. The network node according to claim 10, wherein the network node is configured to determine the access behaviours comprising the representation indicative of the command usage characteristics associated with each session based on the extracted plurality of session features by: obtaining the extracted session features for each session; extracting one or more of a number of risky commands and a number of safe commands executed from the plurality of session features for each session; and determining the command usage pattern based on the extracted one or more of the number of risky commands and the number of safe commands executed for each session.
  16. The network node according to claim 10, wherein the network node is configured to detect anomalous access behaviours by analysing the determined access behaviours by: obtaining the representation indicative of one or more of the session characteristics, the user access characteristics, the network node access characteristics and the command usage characteristics; detecting the anomalous sessions by applying anomaly detection on the obtained session characteristics; detecting the anomalous users by applying anomaly detection on the obtained user access characteristics; detecting the anomalous network nodes by applying anomaly detection on the obtained network node access characteristics; and detecting the anomalous commands from the obtained command usage characteristics by analysing the number of risky commands and the number of safe commands executed for each session.
  17. A computer program product comprising a non-transitory computer readable medium, having thereon a computer program comprising program instructions, the computer program being loadable into a data processing unit and configured to cause execution of the following method when the computer program is run by the data processing unit: obtaining session logs associated with the plurality of network nodes in the communication network; extracting session features for each session by evaluating the session logs associated with the plurality of network nodes, wherein extracting session features comprises: obtaining input data sets, the input data sets comprising a set of command lines, a set of non-command lines, and a set of pre-defined commands indicative of a command type, a command category, safe commands, and risky commands; and evaluating a set of command lines in the session logs using the obtained input data sets and the set of pre-defined commands; determining access behaviours associated with each session based on the extracted session features, wherein the access behaviours associated with each session comprise a representation indicative of one or more of session characteristics, user access characteristics, network node access characteristics and command usage characteristics; and detecting the anomalous access behaviours by analysing the determined access behaviours.
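The pipeline of claims 1 to 8 (separate command lines from non-command lines, extract per-session features against a pre-defined safe/risky command list, aggregate per user and per node, then run anomaly detection on each representation) can be illustrated end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or from the applicant. It assumes constructed `screen`-style session captures with a `user@host:path$` prompt, a constructed safe/risky command list and category map, a prompt regex in place of the trained command-line classifier of claim 3, numeric counts in place of the text vectorizer of claim 4, and a modified z-score (median/MAD) detector as the anomaly detection step of claim 8; none of these choices are stated by the patent.

```python
"""Added illustration of the patent's pipeline; not the applicant's code.
Every command list, prompt format and session below is constructed."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed pre-defined command sets (claim 1): category, safe and risky.
SAFE = {"ls", "cat", "grep", "df", "uptime", "tail"}
RISKY = {"rm", "chmod", "useradd", "passwd"}
CATEGORY = {"ls": "file", "cat": "file", "grep": "file", "tail": "file", "rm": "file",
            "chmod": "permission", "df": "system", "uptime": "system",
            "useradd": "account", "passwd": "account"}
# A prompt like "alice@chg-node-01:~$ ls -la" marks a command line; any other
# captured line is command output, i.e. a non-command line (claims 2 and 3).
# The patent trains a model for this split; the regex is a stand-in.
PROMPT = re.compile(r"^[\w.-]+@[\w.-]+:\S*[$#]\s+(?P<cmd>\S.*)$")

def split_command_lines(log):
    """Return (command_lines, non_command_lines) for one session capture."""
    commands, others = [], []
    for line in log.splitlines():
        m = PROMPT.match(line)
        (commands if m else others).append(m.group("cmd") if m else line)
    return commands, others

def session_features(session):
    """Per-session features (claims 2 and 7): command counts and duration."""
    commands, _ = split_command_lines(session["log"])
    names = [c.split()[0] for c in commands]
    start, end = (datetime.fromisoformat(session[k]) for k in ("start", "end"))
    return {"id": session["id"], "user": session["user"], "node": session["node"],
            "commands": names,
            "categories": Counter(CATEGORY.get(n, "unknown") for n in names),
            "n_commands": len(names), "n_risky": sum(n in RISKY for n in names),
            "n_safe": sum(n in SAFE for n in names),
            "duration_s": (end - start).total_seconds()}

def aggregate(feats, key, peer):
    """Access patterns per user (claim 5, peer="node") or per node (claim 6, peer="user")."""
    groups = defaultdict(list)
    for f in feats:
        groups[f[key]].append(f)
    return {k: {"n_sessions": len(g), "n_" + peer: len({f[peer] for f in g}),
                "n_risky": sum(f["n_risky"] for f in g),
                "duration_s": sum(f["duration_s"] for f in g)} for k, g in groups.items()}

def modified_z(values):
    """Iglewicz-Hoaglin modified z-scores; when the MAD is zero (small, mostly
    equal samples) fall back to the mean absolute deviation, or to 0 if all equal."""
    med = statistics.median(values)
    dev = [abs(v - med) for v in values]
    mad = statistics.median(dev)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = statistics.fmean(dev)
    return [1.2533 * (v - med) / mean_ad if mean_ad else 0.0 for v in values]

def outliers(table, threshold=3.5):
    """Entities that are outliers on at least one feature (claim 8); returns {entity: {features}}."""
    keys, flagged = list(table), {}
    for feature in next(iter(table.values())):
        for k, z in zip(keys, modified_z([table[k][feature] for k in keys])):
            if abs(z) > threshold:
                flagged.setdefault(k, set()).add(feature)
    return flagged

def command_usage(feats):
    """Rare (seen in one session) and risky command usage across all sessions (claim 7)."""
    seen_in = Counter(n for f in feats for n in set(f["commands"]))
    risky = Counter(n for f in feats for n in f["commands"] if n in RISKY)
    return {"rare": {c for c, n in seen_in.items() if n == 1}, "risky_executed": risky}

def analyse(sessions):
    """Run the whole pipeline: per-session, per-user, per-node and per-command views."""
    feats = [session_features(s) for s in sessions]
    per_session = {f["id"]: {k: f[k] for k in ("n_commands", "n_risky", "n_safe", "duration_s")}
                   for f in feats}
    return {"sessions": outliers(per_session), "users": outliers(aggregate(feats, "user", "node")),
            "nodes": outliers(aggregate(feats, "node", "user")), "commands": command_usage(feats)}

# Constructed captures: (session id, user, node, start, end, log text). S5 is the planted outlier.
RAW = [
    ("S1", "alice", "chg-node-01", "2020-12-01T10:00:00", "2020-12-01T10:05:00",
     "alice@chg-node-01:~$ uptime\n 10:00:12 up 42 days, 2 users, load average: 0.10\n"
     "alice@chg-node-01:~$ df -h /var/log\n/dev/sda1 50G 21G 29G 42% /var/log\n"
     "alice@chg-node-01:~$ tail -n 5 /var/log/charging.log\n2020-12-01 09:59 INFO rating ok\n"),
    ("S2", "alice", "chg-node-02", "2020-12-01T11:00:00", "2020-12-01T11:04:00",
     "alice@chg-node-02:~$ ls -la /opt/charging\ntotal 8\nalice@chg-node-02:~$ cat /opt/charging/version\n"
     "4.2.1\nalice@chg-node-02:~$ grep ERROR /var/log/charging.log\n"),
    ("S3", "bob", "chg-node-01", "2020-12-01T09:00:00", "2020-12-01T09:06:00",
     "bob@chg-node-01:~$ uptime\n 09:00:05 up 42 days\nbob@chg-node-01:~$ df -h\n"
     "bob@chg-node-01:~$ tail -n 20 /var/log/charging.log\nbob@chg-node-01:~$ grep WARN /var/log/charging.log\n"),
    ("S4", "bob", "chg-node-02", "2020-12-01T14:00:00", "2020-12-01T14:03:00",
     "bob@chg-node-02:~$ ls /opt/charging\nbin etc version\nbob@chg-node-02:~$ cat /opt/charging/version\n"
     "4.2.1\nbob@chg-node-02:~$ ./chg-status.sh --brief\nrating: OK\n"),
    ("S5", "carol", "chg-node-03", "2020-12-02T02:00:00", "2020-12-02T02:30:00",
     "carol@chg-node-03:~$ ls -la /opt/charging\ntotal 8\ncarol@chg-node-03:~$ chmod 777 /opt/charging/bin\n"
     "carol@chg-node-03:~$ useradd tmpuser\ncarol@chg-node-03:~$ passwd tmpuser\nNew password:\n"
     "carol@chg-node-03:~$ rm -f /var/log/charging.log.1\n"),
    ("S6", "carol", "chg-node-01", "2020-12-02T15:00:00", "2020-12-02T15:02:00",
     "carol@chg-node-01:~$ uptime\n 15:00:03 up 43 days\ncarol@chg-node-01:~$ ls\n"),
]
SESSIONS = [dict(zip(("id", "user", "node", "start", "end", "log"), r)) for r in RAW]

if __name__ == "__main__":
    print(analyse(SESSIONS))
```

On this constructed data the detector flags session S5 (on `n_risky` and `duration_s`), user carol and node chg-node-03, and reports `chmod`, `useradd`, `passwd`, `rm` and `./chg-status.sh` as rare commands, while the routine check sessions of alice and bob pass. The MAD fallback matters in practice: with a handful of users or nodes most feature values are identical, the MAD collapses to zero, and a plain z-score would either divide by zero or never exceed the threshold.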

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a 35 U.S.C. § 371 national stage application of PCT International Application No. PCT/IN2020/051071 filed on Dec. 30, 2020, the disclosure and content of which is incorporated by reference herein in its entirety.

TECHNICAL FIELD

The present disclosure relates to detection of anomalous access behaviours, and more particularly to a method, a network node and computer program products for detecting anomalous access behaviours in a plurality of network nodes of a communication network.

BACKGROUND

Different mechanisms have been developed to detect various network security threats. The security threats can originate from malicious activities of a human, such as a hacker or a malicious insider, and/or from activities of malicious code. These malicious activities can cause harm to the network's software or hardware, or to its users. Malicious activities may include unauthorized access or subsequent unpermitted use of network resources and data. Network administrators seek to detect such activities, for example, by searching for patterns of behaviour that are abnormal.

An existing mechanism of terminal session-based access-proxying enables controlled access to an infrastructure. Such access is typically required for remote administrators/users. The terminal access-proxy mechanism gives users terminal (i.e., network node) access. Such infrastructure is typically used in managed services, network operations and network management to carry out administrative and similar tasks over terminal sessions, where the user enters commands at a terminal prompt and these are executed as applicable. The operations carried out and the commands entered vary and may be contextual, depending on the infrastructure, the applications and how they are used.

Some managed service operations include, for example, managing charging solutions in a number of customer networks, where administrators access charging solution nodes for remote administration. For example, the charging solution may contain a “screen” utility-based capture of terminal session logs. These terminal session logs are highly unstructured, yet they contain a large amount of monitoring information that is essential for effective operations. Existing systems that take session logs or user behaviour data mostly consume structured or standardized information sets. They do not accept terminal session logs, which are recorded on a per-user-login basis and whose contents are syntactically and semantically different from one session to another. Conventional scanning of every such terminal session log to understand abnormal, anomalous, suspicious, outlier or rare conditions and threat behaviours is a difficult task, and monitoring of terminal session logs is performed using rule-based systems, i.e. by matching patterns of known commands that are not desirable in each deployment. Each deployment may have its own customized list, which is checked in order to tag behaviours as suspicious activities. Further, the contents of terminal session logs vary between deployments, i.e. with the different applications running on the nodes, which adds to the heterogeneity of the session logs. Other factors include the operating system, the shell used, system configuration, and commands that are specific to a certain node. Because of this diversity, terminal session logs vary widely, which makes it difficult to abstract them into a single set of patterns/rules and thus very difficult to comprehend.

Consequently, there is a need for improvement in this field of technology, and especially a need for new mechanisms to improve the detection of anomalous access behaviours in order to enhance the safety of network nodes.

SUMMARY

It is therefore an object of the present disclosure to provide a method, a computer program product, and a network node for detecting access behaviours that seek to mitigate, alleviate, or eliminate all or at least some of the above-discussed drawbacks of presently known solutions. This and other objects are achieved by means of a method, a computer program product, and a device as defined in the appended claims. The term exemplary is in the present context to be understood as serving as an instance, example or illustration.

According to a first aspect of the present disclosure, a method for detecting anomalous access behaviours in a plurality of network nodes in a communication network is provided. The method is performed in at least one network node. The method comprises obtaining session logs associated with the plurality of network nodes in the communication network. The method comprises extracting session features for each session by evaluating the session logs associated with the plurality of network nodes. Further, the method comprises determining access behaviours associated with each session